MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b392f2d4ca451b9b125219b6b4f17d491b76e5dc464cfe47f4963ba356db961f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cutwail


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b392f2d4ca451b9b125219b6b4f17d491b76e5dc464cfe47f4963ba356db961f
SHA3-384 hash: 2b7187c5b29f01c9eaa8db3762ca1fb3b22034881b87e82ad101b8e7c22b177bfa3d9159036dfed2a706174202a895cd
SHA1 hash: 27ac449559f8b6baded5c10dfdb511ca98d6b7d9
MD5 hash: 39cf228ab20896a83c9021ea8a2427a0
humanhash: arizona-north-uniform-zebra
File name:39cf228ab20896a83c9021ea8a2427a0
Download: download sample
Signature Cutwail
Create hunting rule
File size:199'168 bytes
First seen:2022-06-09 03:37:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0eab09b98c18d699716845418f92678c (7 x RedLineStealer, 1 x Cutwail)
ssdeep 1536:iQfuUUokL1mlP2ErjA6SBVtXOgTNIpo5IUqzpxTCsrmdV+vKrnKWFkDFMsBrfz:iQGL0ZR07IgTapo5ottrsfAMkrf
Threatray 10 similar samples on MalwareBazaar
TLSH T14A14BE20B3F1C072E1B71A304475E5E11E7ABD12F6B4818F6BA8167A6F203909F79797
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5c599a3ce0c1c850 (36 x RedLineStealer, 27 x Stop, 21 x Smoke Loader)
Reporter zbetcheckin
Tags:32 Cutwail exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
39cf228ab20896a83c9021ea8a2427a0
Verdict:
Malicious activity
Analysis date:
2022-06-09 03:39:39 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/955facf9-5c76-42b1-86ba-8245b6101d1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277993/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.63562.15836.31291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62a16b1ea2b1fc9744d84682/reports/424f334c-c156-4d7e-8544-6ad455a83730/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cutwail
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cbc7cbda-7422-4bbf-ab0d-d646de0e7b57
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009625
Signature
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 642120 Sample: IW9C25cFaN Startdate: 09/06/2022 Architecture: WINDOWS Score: 100 42 www.valselit.com 2->42 44 www.jacomfg.com 2->44 46 425 other IPs or domains 2->46 66 Snort IDS alert for network traffic 2->66 68 Antivirus detection for URL or domain 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Machine Learning detection for sample 2->72 7 pigalicapi.exe 48 2->7         started        11 IW9C25cFaN.exe 3 68 2->11         started        14 pigalicapi.exe 48 2->14         started        signatures3 74 Tries to resolve many domain names, but no domain seems valid 44->74 process4 dnsIp5 56 152 other IPs or domains 7->56 76 Multi AV Scanner detection for dropped file 7->76 78 Detected unpacking (changes PE section rights) 7->78 80 Detected unpacking (overwrites its own PE header) 7->80 94 3 other signatures 7->94 16 svchost.exe 7->16         started        48 108.167.164.216, 49771, 49860, 49938 UNIFIEDLAYER-AS-1US United States 11->48 50 162.214.120.26, 49769, 49858, 49936 UNIFIEDLAYER-AS-1US United States 11->50 58 216 other IPs or domains 11->58 24 C:\Users\user\pigalicapi.exe, PE32 11->24 dropped 26 C:\Users\...\pigalicapi.exe:Zone.Identifier, ASCII 11->26 dropped 82 Contains functionality to inject threads in other processes 11->82 84 Drops PE files to the user root directory 11->84 86 Contains functionality to inject code into remote processes 11->86 20 svchost.exe 11->20         started        52 www.dayvo.com 14->52 54 rast.se 14->54 60 148 other IPs or domains 14->60 88 Writes to foreign memory regions 14->88 90 Injects a PE file into a foreign processes 14->90 22 svchost.exe 14->22         started        file6 92 Tries to resolve many domain names, but no domain seems valid 54->92 signatures7 process8 dnsIp9 28 87.248.97.31, 25, 50089 YAHOO-IRDGB United Kingdom 16->28 30 smtp1.sbc.mail.am0.yahoodns.net 67.195.12.38, 25, 50043 YAHOO-GQ1US United States 16->30 36 9 other IPs or domains 16->36 62 System process connects to network (likely due to code injection or exploit) 16->62 64 Contains functionality to inject threads in other processes 16->64 32 smtp.mail.global.gm0.yahoodns.net 87.248.97.36, 25, 50051 YAHOO-IRDGB United Kingdom 20->32 34 204.79.197.212, 25 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->34 38 4 other IPs or domains 20->38 40 2 other IPs or domains 22->40 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b392f2d4ca451b9b125219b6b4f17d491b76e5dc464cfe47f4963ba356db961f/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-06-07 16:02:19 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wojpfvgkiunzwessdg3lj4l5jenxnzo4izgp4r7usy52gvw3sypq._file
Verdict:
malicious
Similar samples:
02fe1e05ca2f07215863e2a1fb3b5a00964ed07ffa2ddee45cf6ee8af10aff90
Cutwail
095a3f84debd7481b880016a770c211a793847f61c72499b4702b16fd9666b28
Cutwail
181e69353ba4190572b8ab171545452cf9ad4dac32c0c2c2c6716853fc604c88
Cutwail
3506cb5aede37423e0c1542075d889ce8884edcc9bd7031a7fe54211d43e36c1
Cutwail
5b3a8ff94b27ba20933e4850821591f20b6c1bf2d9141bb3870d81b8a457ed83
Cutwail
85e499e0c1e7395fbcdefe961afac42b0a333e0004084f55707ab53ca97fc4dc
Cutwail
9933468292efeb6b2c9d2c8e36bbe818aebe7e46eeb6d7e25a8299b4e90f3ab6
Cutwail
b31bacca7824f68859ded0863bac01fd8844eaf00558fe505557f94e1da1e8c5
Cutwail
dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e
Cutwail
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata upx
Link:
https://tria.ge/reports/220609-d627qabhcq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
Unpacked files
SH256 hash:
fdc68ffd0e5cb3f319eddf083c7e5774ed74a4f86acf212e35ff0dc4f4e91a3c
MD5 hash:
8b3b037e6ba76e4aae95355902278a63
SHA1 hash:
ae607d9392f93b035363f57b90719f058cd69a0a
Detections:
win_pushdo_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b446069-a681-40ef-81ce-a545ed35a671/
Parent samples :
b392f2d4ca451b9b125219b6b4f17d491b76e5dc464cfe47f4963ba356db961f
c0183ded48b43c6bebca6093caf1d8d5a85f7c651aeb6caf86e55819d14238ba
b1a705cc5dadd4aece01bedec08657b96398d09e610d99cd14f0896825d70d09
6618359d4d19997728359453b0598be7562c293ef9d6ac51f2635586096a52bd
987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7
f8ef3e3b18e72eebb4b18edbc90f7f5851ab0af044473fa2856fc974f0c33d6c
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6
SH256 hash:
f812cff25ac78391ad0621231aa8556d459a3cea3205a04b097744f1e0116a60
MD5 hash:
ab0fa68fdf4a67b3a404250f073e15ba
SHA1 hash:
7eb499acfbe7a3d4d536ab2de8e95be4d7234bbf
Link:
https://www.unpac.me/results/9b446069-a681-40ef-81ce-a545ed35a671/
SH256 hash:
b392f2d4ca451b9b125219b6b4f17d491b76e5dc464cfe47f4963ba356db961f
MD5 hash:
39cf228ab20896a83c9021ea8a2427a0
SHA1 hash:
27ac449559f8b6baded5c10dfdb511ca98d6b7d9
Link:
https://www.unpac.me/results/9b446069-a681-40ef-81ce-a545ed35a671/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b392f2d4ca45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b392f2d4ca451b9b125219b6b4f17d491b76e5dc464cfe47f4963ba356db961f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_pushdo_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.pushdo.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cutwail

Executable exe b392f2d4ca451b9b125219b6b4f17d491b76e5dc464cfe47f4963ba356db961f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2230693/
Cape
Cape
https://www.capesandbox.com/analysis/277993/

Comments


Avatar
zbet commented on 2022-06-09 03:37:27 UTC

url : hxxp://37.120.222.121/store/items/74.exe